Business espionage and cybercriminals listening in on potential deals makes the business landscape a place where digital security can make or break a company. With 15 years under his belt consulting or running his own businesses, Stephen Carnes, president of Kryptos Communications Inc., knows this well.
While working on big deals, clients would often ask to meet in person, flying halfway across the country to relay sensitive information rather than tell it over the phone. Carnes said, “So many times it can be just a two-minute part of the conversation they just didn’t want anybody to hear. So I thought, well gee, shouldn’t there be a better way of doing this?”
A quick look at the market was all it took to reveal a need. Options are limited for anyone wanting secure phone calls—typically falling to specialized phones costing more than $1,000 that only work after users exchange secure serial numbers. The problem is, not everyone owns one of these phones and most companies would rather not have a business deal hanging on the post office delivering a special phone.
The idea was simple and would not rely on special equipment. Growing use of smartphones opens new doors—particularly their ability to download software at the press of a button. So Carnes decided to build an app that he dubbed Kryptos.
Put simply, when a cell phone calls another phone, it wraps the audio information into a packet and bounces it off a cellular tower to reach its target. The problem is that while the towers check to make sure cell phones are from paying clients, the phones themselves have no way to tell if a tower is real or not. Criminals thus set up fake towers to steal data as it is transferred.
Kryptos gets around this by bypassing regular cell signals altogether and goes through wireless Internet 3G, 4G, or WiFi networks. It also uses peer-to-peer communications, speaking directly to another cell phone without needing a server in the middle, as “the server would be vulnerable to attack and eavesdroppers,” Carnes said.
To top it off, even if the data is intercepted, Kryptos scrambles it with military grade encryption. If a criminal gets their hands on it, the data will just be an unusable mess nearly impossible to decipher.
Although it stands as one of the lesser-acknowledged evils of cybercrime, intercepting cell phone calls is about as easy as it gets. Most cell phones use GSM, a mobile phone network designed in 1982 that is riddled with security holes.
By intercepting cell phone calls, criminals can grab not only the contents of a call, but also data about a user.
The vulnerabilities have been exposed, but many cell phones still run on the GSM network. The problem is that in order to close the gap, cellular providers would need to redesign the GSM system, change every phone, change every cell tower, and change every network behind them, according to ethical hacker Chris Paget.
Using a laptop and a $1,500 homemade device, Paget intercepted 30 cell phone signals from a live audience during a July 2010 Defcon hacker conference in Las Vegas in an attempt to raise concern around the problem. His hack worked on both GSM and 2G signals.
“I can sit here for the next 20 minutes, half an hour, and every AT&T cell phone in the room will gradually hand over to my network, gradually start giving me all your traffic,” Paget said in a Defcon recording of his speech, after he set his computer to pose as an AT&T cellular tower.
Read the full story here.